Cisco 837 IPSEC Linksys WAG54g

Discussion in 'Cisco' started by Systematic, Jul 11, 2005.

  1. Systematic

    Systematic Guest

    Has anoyone successfully managed to setup an IPSEC tunnel with a Cisco
    router and Linksys WAG54g ?

    As I have managed to establish an actual tunnel but nothing will route
    between the networks. Cant ping machines at either end.

    Any ideas ?
     
    Systematic, Jul 11, 2005
    #1
    1. Advertisements

  2. Systematic

    Uli Link Guest

    Not a Linksys WAG54g, but Allnet 1294VPN and Netgear FVS318 and Safenet
    Softremote IPsec client (and other Cisco IOS routers)
    Don't have a 837, but a 836 instead ;-)
    Yes. But there are many traps with FW, NAT, ACLs and the routing table.
    Describe your setup a little closer.
     
    Uli Link, Jul 11, 2005
    #2
    1. Advertisements

  3. Systematic

    Systematic Guest

    Well have a Cisco 837 at one end of connection on 192.168.0.0 with NAT
    running on the internal range.

    Other end has Linksys WAG54g 192.168.1.0 also with NAT.

    I can see the tunnel establish under the connections screen on the linksys
    and also when debug on the Cisco router.

    But when trying to ping either end just get no replies from either end.

    Do you have an example of a configuration you have got working successfully
    ?

    Thanks
    Matt
     
    Systematic, Jul 11, 2005
    #3
  4. Systematic

    Uli Link Guest

    So have to exclude traffic from 192.168.0.0/24 to 192.168.1.0/24 from
    being natted.

    What do you mean by "see tunnel establish"?
    You'll need one SA for the IKE and two SAs for the dataflow in each
    direction.
    When using ping from exec of the Cisco you'll need to specify
    "ping tag 192.168.1.1 source Ethernet0"
    the following works for me with dynamic IPs on both sides.
    It is easier when you restrict by know WAN IP address, or at least a
    range of addresses for the preshared key.
    3DES-SHA1 with PFS/DH group 2

    !
    crypto isakmp policy 5
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp key YourPreSharedKey address 0.0.0.0 0.0.0.0 no-xauth
    !
    crypto isakmp identity hostname
    !
    crypto ipsec transform-set tfs-3des esp-3des esp-sha-hmac
    !
    crypto identity id-list-100
    description FQDN-OF-REMOTE-SITE
    fqdn yourremote-fqdn.domainname.dom
    !
    crypto map your_cmap_1 10 ipsec-isakmp
    description YOUR-IPSEC-TUNNEL
    set peer yourremote-fqdn.domainname.dom dynamic
    set security-association lifetime kilobytes 256000
    set security-association lifetime seconds 28800
    set transform-set tfs-3des
    set pfs group2
    set identity id-list-100
    match address 120
    reverse-route
    !
    interface Dialer 0
    crypto map your_cmap_1
    !
    ip nat inside source route-map NAT_ROUTEMAP interface Dialer0 overload
    !
    !
    route-map NAT_ROUTEMAP permit 1
    match ip address 102
    !
    access-list 102 remark First exclude IPsec Tunnel from natting
    access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 remark Now the traffic being natted
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 deny ip any any
    !
    access-list 120 remark Traffic matching will be protected
    access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    !

    If it won't work with the Linksys, try using MD5 instead of SHA1 and
    perhaps turning of PFS. If you want AES instead of 3DES you'll need to
    turn of hardware encryption.
     
    Uli Link, Jul 11, 2005
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.